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L7 ANSWER 1 QF^-TO^USPATFULL 

TI Syst^nrfand method for securing a program's execution in a network 

emrlronment ) 
PI 6351816 / Bl 20020226 

RLI yivision of Bmr . No. US 1996-652703, filed on 19 May 1996 
SUMM Written in a/general purpose language such as Java . RTM . , an applet is in 
khis way unrestrained in its functionality. It can perform any function 
wni^^i^a^pfogram written in any other general purpose language (such as C 
or PL1) can accomplish. The methodologies of applets, however, are 
constrained by the Java. RTM. environment in order to minimize the 
security risks an applet presents to the workstation 150. That is to 
say, an applet is restricted to "play" within a bounded "sandbox 



DETD Because servers are typically accessed orders of magnitude more 

frequently than a client workstation, maintaining the integrity of the 
server executing a servlet becomes even more critical than maintaining 
the integrity of the client executing an applet. Corruption on a server 
can spread quite rapidly to any number of clients. Should corruption 
pass among servers, the rate of corruption of clients can increase 
exponentially. The sandbox of the servlet is appropriately 
restricted. 

DETD In the Hot Java . RTM . browser mentioned above, the boundaries of the 
sandbox for an applet are as follows: An applet may not read, 
write or inquire into the status of any filesystem on the client 
workstation 150. An applet from an server, say, 120b running on the 
workstation 150 can not access any other processor 120a, 120n, 150 over 
the network 160 other than its server processor 12 0b. An applet cannot 
load a library from either its server processor 12 0 or the workstation 
150. An applet cannot initiate the execution of a process. An applet 
cannot examine the properties of any resource on the workstation 150. 

DETD To assist in the enforcement of the boundaries of the sandbox 

of an applet, the assignee of the instant invention has developed a 
suite of protocols for the development and execution of applets: the 
Java. RTM. development environment (or Java. RTM. Development Kit) . The 
development environment includes a number of packages ("lang," "io, " 
"net," "util," "awt" and "applet"). To the extent an applet needs 
language, I/O, network, utility, windowing or application support, the 
application must resort to the methods available through the classes 
provided by one or some of the packages of the Java. RTM. development 
environment . 

NCL NCLM: 713/201.000 




US PAT FULL 

icement for untrusted executable code 
Bl 20010814 

19970828 (8) <-- 
/cutable code programs (applets or controls) are written in 
lative, directly executable code. The executable code is loaded into a 
^re-allocated memory range (sandbox) from which references to 
oxttrsd^e memory are severely restricted by checks (sniff code) added to 
the executable code. Conventional application-program interface (API) 
calls in the untrusted code are replaced with translation-code modules 
(thunks) that allow the executable code to access the host operating 
system, while preventing breaches of the host system's security. Static 
links in the code are replaced by calls to thunk modules. When an API 
call is made during execution, control transfers to the thunk, which 
determines whether the API call is one which should be allowed to 
execute on the operating system. 
SUMM The present invention implements a security policy for untrusted 
executable code written in native, directly executable code. The 
executable code is loaded into a pre-allocated memory range, or 
sandbox, from which references to outside memory are restricted. 
Checks ("sniff code") added to the executable code enforces these 
restrictions during execution. Conventional application-program 
interface (API) calls in the untrusted code are replaced with 
translation-code modules ("thunks") that allow the executable code to 
access the host operating system, while preventing breaches of the host 
system's security. Static links in the control or applet are replaced by 
calls to thunk modules. When an API call is made during execution, 
control transfers to the thunk, which determines whether the API call is 
one which should be allowed to execute on the operating system or not. 



DRWD FIG. 4 is a simplified block diagram of a sandbox area in 
memory . 

DETD When an applet such as 362 is to be executed, a host program 36 such as 
an Internet web browser invokes emulator 39. The emulator employs its 
own loader module 3 96 to load the applet code into a predetermined 
memory area, and to assign another predetermined memory area for its 
use. These areas are called the "sandbox" for that applet. 
During execution of the applet, emulator 3 9 compiles the applet's code 
in a compiled cache which resides outside the sandbox. During 
the compilation p ' 
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TI System and method for securing a program's execution in a network 

environment 
PI US 6263442 Bl 20010717 

AI US 1996-652703 19960530 (8) <-- 

SUMM Written in a general purpose language such as Java, an applet is in this 
way unrestrained in its functionality. It can perform any function which 
a program written in any other general purpose language (such as C or 
PL1) can accomplish. The methodologies of applets, however, are 
constrained by the Java environment in order to minimize the security 
risks an applet presents to the workstation 150. That is to say, an 
applet is restricted to "play" within a bounded "sandbox." 

DETD Because servers are typically accessed orders of magnitude more 

frequently than a client workstation, maintaining the integrity of the 
server executing a servlet becomes even more critical than maintaining 
the integrity of the client executing an applet. Corruption on a server 
can spread quite rapidly to any number of clients. Should corruption 
pass among servers, the rate of corruption of clients can increase 
exponentially. The sandbox of the servlet is appropriately 
restricted. 

DETD In the Hot Java browser mentioned above, the boundaries of the 
sandbox for an applet are as follows: An applet may not read, 
write or inquire into the status of any filesystem on the client 
workstation 150. An applet from an server, say,- 120b running on the 
workstation 150 can not access any other processor 120a, 120n, 150 over 
the network 160 other than its server processor 120b. An applet cannot 
load a library from either its server processor 120 or the workstation 
150. An applet cannot initiate the execution of a process. An applet 
cannot examine the properties of any resource on the workstation 150. 

DETD To assist in th 
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TI Meimoia>and Apparatus for providing security for servers executing 

amplication /programs received via a network 
PI US 6167522 J 20001226 

AI UB 1997-82Sf990 19970401 (8) <-- 

SUMM ATmethody^nd apparatus for providing security for a server executing 
prograjHS received by the server via a network is disclosed. An 
ap^Ttication program that is to be provided by a Web server along with a 
source identifier is received by the Web server via a network, such as 
the Internet. Before loading the application program, the server 
performs a verification procedure including granting access privileges 
based on the source identifier. Access privileges are granted or 
withheld for a plurality of resources available to the server. If an 
application program is received from a known hostile source or no access 
privileges are granted, the applications program may be rejected. Thus, 
the resources defining the application program's universe, or 
sandbox, is determined individually based on source identifiers. 

DETD Before loading the application program, the server performs a 

verification procedure including granting access privileges based on the 
source identifier. Access privileges are granted or withheld for 
resources available to the server. If an application program is received 
from a known hostile source, or if no access privileges are granted, the 
applications program may be rejected. Thus, the resources defining the 
application program's universe, or sandbox, are determined 
individually based on source identifiers. 

DETD Once the byte-codes have been verified, they are translated into 

servlets configured to run on the architecture of Web server 150. The 
servlet is then loaded into the servlet ' s sandbox (i.e., a 
known, bounded area in memory and granted access only to those specific 
resources listed in the ACL) . Once the servlet is loaded in Web server 
150, Web browser 170 may access the servlet and any resources available 
to the servlet. Thus, resource privileges are granted on a 
servlet-by-servlet basis, which increases the flexibility of a Web 
server's security. This improved flexibility allows administrators to 
grant more privileges to known and trusted sources, while granting fewer 
privileges to new or unknown sources. By eliminating an all-or-nothing 
security approach, the web may offer more resources in a more convenient 
manner . 

DETD If no access privileges are granted in step 320, the servlet is rejected 
or not loaded in step 330. If the servlet is granted access privileges 
in step 320, a sandbox is defined for the servlet in step 340. 
A sandbox defines the set of access privileges granted to the 
servlet . 

DETD In step 350, the servlet is loaded by Web server 150. In addition to 
limitations imposed on a servlet by the sandbox to which it is 
assigned, other checks may be performed. For example, accesses to 
certain resources may be monitored by the server to guard against 
hostile behavior. 

DETD Thus, by providing identity-based access controls, a Web server can 
control which servlets have access to which data. This arrangement 
provides protection against theft or alteration of data. In addition, by 
restricting a servlet to 
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TI Applet redirection for controlled access to non-orginating hosts 

PI US 5987523 19991116 

AI US 1997-868611 19970604 (8) <-- 

SUMM A significant restriction of such applets is that the standard Java 
model only allows the applets to talk to the servers they were 
downloaded from. This is referred to as the Java "sandbox" 
security restriction. It provides some security benefits but also 
severely restricts Java use for some applications. For example, this is 
undesirable for applets whose main purpose is connectivity where the 
goal is to accomplish communications with many other systems in the 
network (networking applets) . Recent Java releases such as the Java 
Development Kit (JDK) version 1.1 provide a solution to this called 
trusted applets, but this solution does not work for all scenarios. 
First, it does not address users of prior JDK versions such as 1.02. 
Second, leading web browsers have yet to fully comply with JDK 1.1. 
Third, and most importantly, network administrators do not want their 
users to connect to any arbitrary host in their network. Instead they 
want the flexibility of multi-host applet communication with the 
advantage of administrative control and security capabilities. No 
solution is available which provides all of these advantages. 

DRWD FIG. 1 depicts a basic network environment with sandbox 

restriction (Prior Art) . 
DETD The example network shown in FIG. 1 represents networking applet 

capabilities with the present Java sandbox security 

restriction. Using a Web client (101) such as a Java-enabled web browser 
or Java applet viewer, a user runs applets (102) dynamically downloaded 
from a Web server (103) . However, due to the sandbox 

restriction the applet can only communicate with that originating server 
(103) . Applications and resources on the server (104) can be used by the 
applet to store information or help complete its tasks, but the applet 
is not allowed to access other servers that may be on the network. As 
previously mentioned, recent advancements in the Java standard define 
the framework for trusted applets that can access other resources, but 
this approach is not widely supported by today's browsers and, more 
importantly, it does not provide administrative control over what 
resources an applet can access. 
DETD FIG. 3 shows users A and B on Web clients (301 & 3 06) that use the 

present invention's redirector (303) function to access a host server 
(305) . For clari 
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TI Security monitor 

PI US 5974549 19991026 

AI US 1997-825102 19970327 (8) <-- 

AB The present invention is a method of creating a secure sandbox 

within which a plurality of downloaded software components can execute 
in a secure manner. The software components can be of any type, e.g., 
Java, ActiveX, Netscape plugin, etc. The invention implements a security 
monitor that is injected to the address space of an arbitrary monitored 
application such as a Web browser, e.g., Internet Explorer, Netscape 
Navigator, etc. The monitored application then executes in a secure mode 
in which every software component downloaded executes in a secure 
sandbox. The security monitor detects when such a software 
component is downloaded and is operative to create the sandbox 
around it before it is permitted to execute. If the software component 
attempts to commit an action that breaches security, it halts the 
software component's execution and issues a warning to the user. The 
security monitor detects attempted security breaches by the software 
component in accordance with a user configurable security policy. Such a 
policy may include limiting file read/write access, access to 
directories, disk access, creation and the reading/writing of network 
connections, access to system resources and services and access to the 
address spaces of other processes. 
SUMM These security implications are known and different approaches have been 
taken to solve them. The Java programming language and environment were 
designed from the ground up with security in mind. Java applets execute 
in what is termed a secure "sandbox, "* which is a run time 
environment in which applets are prevented from executing certain 
actions. For example, Java applets are not permitted to access local 
storage, modify system parameters or to establish a network connection 
to an untrusted site. 

SUMM The present invention is a method of creating a secure sandbox 

within which a plurality of downloaded software components can execute 
in a secure manner. The software components can be of any type, e.g., 
Java, ActiveX, Netscape plugin, etc. The invention implements a security 
monitor that is injected to the address space of an arbitrary monitored 
application such as a Web browser, e.g., Internet Explorer, Netscape 
Navigator, etc. The monitored application then executes in a secure mode 
in which every software component downloaded executes in a secure 
sandbox. The security monitor detects when such a download of a 
software component occurs and is operative to create the sandbox 
around it before it is permitted to execute. If the software component 
attempts to commit an action that breaches security, it halts the 
software component's execution and issues a warning to the user. 
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TI Code/cert if ideation for network transmission 

PI US /5892904 / 19990406 

AI Us/l996-76l484 19961206 (8) <-- 

SUMM One approach to addressing this problem is to create a protective and 
paoliedr^irtual machine on the software recipient's computer. Such a 
virtual machine, which is often referred to as a playpen or 
sandbox, allows untrusted, possibly malicious code to be 
executed without fear that it could cause any unauthorized or 
unwarranted actions. This approach is an outgrowth of the security 
architecture in existing computer operating systems. A problem with this 
approach is that it is extraordinarily difficult to create a 
sandbox that is actually secure against malicious code. 
Unexpected security holes are commonly discovered in supposedly secure 
operating systems that use this method. 



SUMM But even assuming that this difficulty could be overcome, a fundamental 
quandary with the sandboxing approach is that there is a very strong 
tension between creating a sandbox safe enough to run perhaps 
malicious code, but yet with sufficient access to system resources to be 
capable of performing useful operations. For example, sandboxed 
code that is allowed to make network connections off of a host machine 
(e.g., TCP, FTP, EMail, or otherwise) should not have access to any 
information on the machine that is to be kept private. As other 
examples, some system utilities such as a disk defragmenter or an 
indexing utility that locates the lost documents on a hard disk would 
likely be inoperable as sandboxed code. A sandbox 

that successfully protected against the damage these utilities might 
possibly cause would prevent them from carrying out their intended 
purpose . 
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TI Method and system for mounting a system partition as a logical drive 

while an operating system is operational by modifying a partition table 
PI US 5974517 19991026 

AI US 1996-710360 19960917 (8) <-- 

DETD The executive services system 602 includes the set of services including 
I/O manager 610, object manager 612, security reference 

monitor 614, process manager 616, local procedure call facility 618, and 
virtual memory manager 620. These services 610-620 are the interface 
between user-mode environment subsystems and the kernel 608. The I/O 
manager 610 manages all input and output for the Windows NT operating 
system 600, The object manager 612 provides uniform rules for retention, 
naming and security of objects. The security 
reference monitor 614 ensures that applications 
cannot access system resources without authorization. The 
process manager 616 manages the creation and deletion of processes. The 
local procedure call facility 618 manages local procedure calls (LPC) 
which involves message passing between applications and the environment 
subsystems. The virtual memory manager 620 manages the translation of 
virtual addresses to physical pages in memory. 
NCL NCLM: 711/173.000 

NCLS: 711/112.000/ 713/001.000; 713/100.000 
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Security shield implementation in computer system's software 
>6/ 19990720 

J0290 19970318 (8) <-- 

*nt invention uses software methodology to place a 
shield in front of any computer system software 
by placing controls and monitors in front of all 
access paths to the computer system software. The present 
invention utilizes computer software to implement a method software call 
interception technique to provide a simple yet secure method 
to place controls and monitors in access paths of computer system 
resources. The present methodology protects and monitors 
access to resources such as files, directories, programs 
, operator commands, systems and network services, all without modifying 
the operating system or system binaries. The two call interception 
techniques provide controls for both operating system requests, such as 
UNIX system calls, and interactive commands, such as telnet, rsh, and 
ftp. The present method provides a security methodology for 
open systems that is transparent to the users and is done without direct 
modification to the underlying operating system and environment, while 
providing adequate security, which is difficult to remove, and 
which is comprehensive and simple to implement and manage. 



DETD An advance security monitor (ASM) module for audits and 

monitors of selective operation system events may be configured to audit 
an monitor selected activities based on users, processes, programs, and 
targeted files on designated systems. For example, ASM can be used to 
monitor all privileged access from Superusers and 
" setuid root" programs and processes, or to monitor 
all accesses to a sensitive file or program. 

NCL NCLM: 713/200.000 
NCLS: 713/201,000 



